hxxps://inl03[.]netline[.]com/ltr4/?_m=0a[.]0a2p[.]6dc[.]wo08ka2m02[.]3&pg=prd&ch=&qf=w_thab57

General

Target

https://inl03.netline.com/ltr4/?_m=0a.0a2p.6dc.wo08ka2m02.3&pg=prd&ch=&qf=w_thab57

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2219488043"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "84"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\sf.tradepub.com\ = "84"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tradepub.com\Total = "117"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30901491145ad901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\sf.tradepub.com\ = "98"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tradepub.com\Total = "84"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0502991145ad901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AEBE23EA-C607-11ED-ABF7-EA1737350EF8} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "117"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "385962157"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\DOMStorage\sf.tradepub.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tradepub.com\Total = "98"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2208648092"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31021588"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000675316f82fdac74aa8f3bd7995064a9700000000020000000000106600000001000020000000b13cae338859824400cfe2e198dbd386cd1453918a59014e6c423de5f2a48350000000000e80000000020000200000005b880fd3ad2d05d230578d033c9e8e4982f60a9134022345da4e9782729bf77220000000e4185e0768da039ed42cc2878a9691fc85edf3e4811e9d36ab2c1b2c84780302400000007cd3f4ccf5aa20343205cab5df2a953b3c6f6fe9a5295979ab4371b0c5934ac87d9de13a974fe1d53156d50749a660d57ebc1941860c2061c2f3fce1627660b3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\DOMStorage\tradepub.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tradepub.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2208648092"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31021588"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tradepub.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31021588"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "98"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\sf.tradepub.com\ = "117"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000675316f82fdac74aa8f3bd7995064a9700000000020000000000106600000001000020000000b21dc5c5bff3c22622deb131d48144b8cd1bb03695df1df208c23552a7e0d04f000000000e80000000020000200000004392925dfe5cd2e8b9ebceef2387d2bc25321b129a321826a74f7154fcc85d7d2000000046edd44fcf383461e02b6c753cddf25ca5bc1ef909c55643799a8ac97e0905f940000000a68c72c33e5610c0e3e4131c6400b44b527a28a397a567f904893f0a29afd21c992934c8d2b30c34864db426d65bc656df101b492c31ec019812ed980f6c690e	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4416 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4416 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4416 iexplore.exe
4416 iexplore.exe
1224 IEXPLORE.EXE
1224 IEXPLORE.EXE
1224 IEXPLORE.EXE
1224 IEXPLORE.EXE

pid	process
4416	iexplore.exe

pid	process
4416	iexplore.exe

pid	process
4416	iexplore.exe
4416	iexplore.exe
1224	IEXPLORE.EXE
1224	IEXPLORE.EXE
1224	IEXPLORE.EXE
1224	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 4416 wrote to memory of 1224	4416	iexplore.exe	IEXPLORE.EXE
PID 4416 wrote to memory of 1224	4416	iexplore.exe	IEXPLORE.EXE
PID 4416 wrote to memory of 1224	4416	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://inl03.netline.com/ltr4/?_m=0a.0a2p.6dc.wo08ka2m02.3&pg=prd&ch=&qf=w_thab57
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4416

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4416 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C
Filesize
779B

MD5
1205ee97a2ed45fa21699187f4f17775

SHA1
c8022ec92b9b1cd68438ce739ac8aafb05220f1d

SHA256
b85ed6ad3460e4d5234caffdd1e507e97de892eeccfb442d484aea5983fc5b0c

SHA512
0da501d200b4718fb056aa3d195a6c4960c0ec64b373816cacb4bd90ee930536c96e1e41cefe018024b7c2ffcc512540967841da42a5892d61c24635bc978fa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C
Filesize
246B

MD5
7ec3b534844191bc48f9ef7500321aec

SHA1
cafe23928fa8006000c08d2cace67c5cbc196ecb

SHA256
d4e5d318a68927ac5946815b35299b4df589333985b6605eef4278a620d44f27

SHA512
c6f77215305af3bafabc784d21f5e8019076f22c9d38e282b7104cba14f65d15ff32f330a35d676b087bc109f6d9c01c5e168ca42d1b8ae0e3ec57331be09215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\6HCEFAPY\sf.tradepub[1].xml
Filesize
231B

MD5
8c3189d295d00e9ab26ccec5e505f6dc

SHA1
39f7799641f280d02da94af06a38a9b4fb15ba9b

SHA256
7bfdd0dd94aadbd2e050da22fcfa32e2798ec865ed4d2730385e154632f01afd

SHA512
f044f381ab06a09c11a332a0b63549f6b5a1255f356e299f8081642e5368cf5aa2493f7214d66ffc4c78109ab19b7e3afd74688b582b6d1e742bafce4028bfe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dcpq11e\imagestore.dat
Filesize
1KB

MD5
2369695360570bf3c7e297cbf9913f62

SHA1
524b27b187026eceeb31089d6f032ebae1501c09

SHA256
60b7e709b7ac6369242fc397a9cf722bd7a93e7178bcea8b17856826ef5958bf

SHA512
b8be010391665f0cfea4c5a74c8cc8a3d8bcea8cc6be2f2ab3ce41eba7b8005c83500cf0a81108159e79a645c315a5b9c00786c07ec7f30f80891ae094526edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5AN3FZ97\favicon[2].ico
Filesize
1KB

MD5
7505a76b7caf6d6f2cff9b13dda7ef31

SHA1
97ef881d8c120f77866ef40f0133dbf73a4f372d

SHA256
7558fbaa4a6d3616f427e36c55841bd389d57ec16945a1fa151ddc67ab6e1229

SHA512
6b15a4b5a00057a8a11136ed246f4d340b7fcafc05e35c846ef1449eeedb7fcc38dcff61268855ecdc566fe2bf5448ec2900d23381f63cb6ab6f8f0e348f9e70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LZ0AI98S\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit

Analysis

Sharing